The Bing teams are learning a lesson only Austrians and, more specifically, Misesian praxeologists, seem to be alone in grasping: that there are no constants in human action, and therefore that predictions of social phenomena are impossible. Pattern predictions, as Hayek called them, may not be impossible, but predictions of exact magnitudes are. For instance, we can rely on economic law (such as “demand curves slope downward”) to estimate an outcome such as “the price will be lower than it otherwise would have been,” but we can’t say exactly what that price will be. [Source]
HK – Hong Kong DPA Requires Data Subject Consent and DPA Authorization When Using Matching Procedures
The Privacy Commissioner for Personal Data (“PCPD”) issues guidance on matching procedures. Matching procedures cannot be carried out unless consent has been received from data subjects (voluntary express consent) and authorisation has been obtained from the DPA; the personal data collected for the procedure cannot be used for a new purpose (directly related or any other purpose) unless data subjects have given express consent. [PCPD Hong Kong – Information Leaflet – Matching Procedure – Some Common Questions]
The Office of the Privacy Commissioner (OPC) of Canada’s 2014-2015 Privacy Act annual report was tabled by Parliament. Privacy Commissioner Daniel Therrien said the number of complaints to the OPC increased slightly during the fiscal year, totaling at 3,977. Therrien has identified four strategic privacy priorities for the next five years, including: the economics of personal information; reputation and privacy; government surveillance, and the body as information. [OPC Press Release] [Federal Government Must Do More to Prevent Breaches] [Globe&Mail: Therrien Wants “Exhaustive Debate” on Bill C-51]
Alberta Privacy Commissioner Jill Clayton says she’s alarmed by a near doubling of privacy breaches as well as concerned about “the growing number of court challenges of her investigations.” In her annual report, Clayton said the number of self-reported breaches is up 86% this year compared with the last. Breaches reported include information contained on mobile devices that is not encrypted as well as snoopers spying on family, friends and neighbors. Clayton also said government challenges to her cases are costing taxpayers money and delaying results. [Calgary Herald] See also [A BC Information and Privacy Commissioner adjudicator said government bureaucrats have the right to refuse to disclose email logs and also that it’s unreasonable to release the data with personal information redacted.]
The trend toward storing data on servers anywhere and everywhere, rather than on drives kept physically on site, runs directly into a BC privacy law. It was written 11 years ago to safeguard against U.S. snooping that was allowed by the far-reaching USA Patriot Act. It gets reviewed every 5 years by a committee. Another review is underway, and members have heard an earful recently about how that privacy safeguard — Section 30.1 — hampers public agencies trying to do business in the interconnected world. “It erodes our competitiveness. It’s preventing us from using world-class tools that other universities use in other jurisdictions. It’s adding costs and administrative complexity” says University of B.C. lawyer Paul Hancock (who was representing the four research universities). The College of Registered Nurses has also weighed in on the question of why private bodies routinely handle B.C. citizens’ personal information outside of Canada, but public bodies are forbidden from doing so. [The Victoria Times Colonist]
Timothy Banks provides an overview of concerns about the Ontario Police Records Checks Reform Act, 2015. The Ontario legislature passed the bill last week, but prior to that the Standing Committee heard concerns from stakeholders including the Association of Children’s Aid Societies, the National Association of Professional Background Screeners, the Ontario Nonprofit Network and the Civil Liberties Association. Banks offers an overview of those concerns, where they landed and what the government needs to do to make the law operational. [Full Story] [Ontario Breach Notification Bill Gains Traction]
The Throne Speech does not specifically reiterate Trudeau’s vow to repeal or amend controversial provisions in anti-terrorism legislation passed by the previous Conservative government. Among other things, Trudeau has promised to create a multi-party parliamentary oversight committee to monitor the activities of departments and agencies with responsibility for national security. He has also promised to amend the legislation so that it’s clear that legal protests or advocacy can’t be construed as terrorist activities. In what is likely meant to be an indirect reference to those promises, the throne speech says only that “the government will continue to work to keep all Canadians safe, while at the same time protecting our cherished rights and freedoms.” [National Post] See also: [Why nobody should bet on Trudeau ‘fixing’ C-51]
“The facts about student data privacy in Google Apps for Education and Chromebooks” responds to the Electronic Frontier Foundation (EFF) complaint regarding Google Apps for Education (GAFE) and other products and services, especially Chrome Sync. “While we appreciate the EFF’s focus on student data privacy, we are confident that our tools comply with both the law and our promises, including the Student Privacy Pledge, which we signed earlier this year. …I want to reiterate some important facts about how our products work, how we keep students’ data private and secure, and our commitment to schools, more broadly…” [Google Apps Blog]
Gemalto’s newest global survey entitled “Broken Trust: ‘Tis the Season to Be Wary,” found that 64% of respondents felt they were “unlikely to shop or do business again with a company that had experienced a breach where financial information was stolen,” with 49% feeling that way regarding the loss of their personal information. “The media coverage of massive data breaches has done little to instill consumers’ confidence in how well companies, big and small, are protecting their data,” said Gemalto. “Either companies need to increase their security measures or, assuming that they already have these in place, they need to communicate this to their customers.” [Dark Reading]
OpenALPR boasts a cheap license plate reader (LPR) that interested shoppers can purchase online, and privacy advocates agree that the practice is legal. “There is not much in the law that would prevent someone from using the technology unless its use rises to the level of stalking or harassment,” said the Electronic Frontier Foundation. “License plates are exposed to public view, and ALPR companies like Vigilant consistently argue they have a First Amendment right to photograph plates and retain the data they collect.” [Ars Technica]
EHRs are designed to support billing more than patient care, experts say. It shouldn’t come as a surprise that most doctors are unhappy with their electronic health record (EHR) systems, which tend to be clunky, hard to use and may actually get in the way of truly excellent patient care. Doctors’ biggest complaint about the EHR is that it slows them down, especially in the documentation phase. “Compared to handwriting or dictating, EHRs take doctors 9 times longer to enter the data… Sure, you have more information in the EHR than in paper records, but it takes more time.” Alerts also go off to prevent adverse drug interactions with other medications, allergies, or foods. Many of these are inapplicable to particular patients, and after a while, doctors may stop paying attention to them or turn them off. Three quarters of EHRs don’t allow the customization of these alerts. [Source]
US – Comey Calls on Tech Companies Offering End-to-End Encryption to Reconsider “Their Business Model”
Comey and other government representatives have been pressuring companies like Apple and Google for many months in public hearings to find a way to provide law enforcement access to decrypted communications whenever there’s a lawful request. Deputy Attorney General Sally Quillian Yates said in a July hearing that some sort of mandate or legislation “may ultimately be necessary” to compel companies to comply, but insisted that wasn’t the DOJ’s desire. Now, there’s little pussyfooting about it. “There are plenty of companies today that provide secure services to their customers and still comply with court orders,” he said. “There are plenty of folks who make good phones who are able to unlock them in response to a court order. In fact, the makers of phones that today can’t be unlocked, a year ago they could be unlocked.” [The Intercept] SEE ALSO: [Senator Feinstein Working on Legislation to ‘Pierce’ Encryption] and [Don’t breach encryption warns privacy watcher] [How not to report on the encryption ‘debate’] and [Advocates and White House Officials Meet To Discuss Encryption Backdoors]
The European Union agreed to its first cybersecurity law, dubbed the Network and Information Security Directive (NISD), which mandates certain companies, like those operating critical infrastructure or financial services, along with Internet companies such as Amazon and Google, to report large-scale security incidents. “The internet knows no border—a problem in one country can have a knock-on effect in the rest of Europe,” said the European Commission’s Digital Chief, Andrus Ansip. “This is why we need EU-wide cybersecurity solutions. This agreement is an important step in this direction,” he added. “Member states will have to cooperate more on cybersecurity, which is even more important in light of the current security situation in Europe,” said European Parliament’s Rapporteur Andreas Schwab in a Computer Weekly report. [Reuters] [Hogan Lovells Summary: Agreement Reached on First EU-Wide Rules to Improve Cybersecurity]
An EU Parliament press release reports that the rapporteur on the general data protection regulation, Philipp Albrecht, is optimistic that the three-way trilogue discussions will result in a final deal by the end of 2015. [Learn more]
The European Data Protection Supervisor (“EDPS”) has established an external advisory group on the ethical dimensions of data protection; members of the Advisory Group will be appointed for a term from February 1, 2016 to January 31, 2018. [Learn more]
A Star editor was not happy to be told on a trip to Colonel Sam Smith Skating Rink with his kids that he was not allowed to take photos. The city says he technically needs permission, but staff are supposed to use discretion. Since at least 2001, the City of Toronto has had a policy stating: “Patrons wishing to use cameras, video cameras or other photographic devices, including camera phones and PDAs (Personal Digital Assistants), in any program or facility must receive permission from staff before filming. Pictures may only be taken of children/patrons in their personal care. Every attempt should be made to limit or eliminate other patrons from being filmed in the background. When possible staff should make a verbal request for permission to photograph other patrons who may be in the area where pictures are being taken.” [Source]
Identity theft, payment fraud and data privacy concerns remain the biggest barriers to mass adoption of mobile payment services, according to an Inside Secure survey of 1,217 American consumers. The survey revealed that 17% of respondents who did not make holiday purchases with their mobile phone last year, plan to use a payment service such as Apple Pay, Android Pay, Samsung Pay or a proprietary service from their bank or card issuer to make the leap to mobile payments this holiday season. Seventy percent of people who are not planning to use their smartphone to make in-store holiday purchases state that their concerns about identity theft prevent them from using in-store mobile payment applications. 70% state that their concerns about mobile payment fraud prevent them from using in-store mobile payment apps, and 71% stated that the privacy of their transaction data was a top concern.
The Information Commissioner’s Office praised the work of journalists and said the introduction of flat rate fees would be “disproportionate”. On protection given to “internal deliberations of public bodies”, the ICO said current exemptions under sections 35 and 36 of the act are “sufficient”. Graham said: “The danger is that the Whitehall machine might run more smoothly, [but] you are back to that world of private government – which I just don’t think fits with the 21st century.” He also suggested Whitehall’s “concern” over the FoI Act is “slightly overdone”, saying a “very small minority” of cases that come to his office result in defeats for the Government. [Source]
The Alberta Office of the Information and Privacy Commissioner released an investigation report that found Alberta Health has failed to provide the required oversight to prevent privacy breaches involving electronic health records. The report found a legally-mandated committee charged with overseeing stewardship of data made available through Netcare was effectively disbanded two years ago. Netcare contains millions of records – including lab results, drug prescriptions and hospital discharge summaries – that can be accessed electronically by over 44,000 registered users in health care facilities and doctors’ offices around the province. [Source]
Smaller healthcare breaches, like doctors revealing patient details in Facebook statuses or the inappropriate sharing of patient files, rarely get the Office for Civil Rights’ (OCR) focused attention and enforcement efforts that large-scale breaches do. “Health providers are required to notify the office within 60 days of breaches affecting at least 500 people and also must share details with the media and contact those potentially affected.” “Rarely do small privacy breaches get anywhere near the same attention, except when they involve celebrities or high-profile individuals.” This September, the Health and Human Services’ “inspector general issued a pair of reports that criticized [the OCR], including its handling of small breaches,” which found that the “OCR did not investigate the small breaches reported to it or log them in its tracking system.” [NPR]
A Privacy Analytics survey of 271 healthcare professionals determined that more than two thirds of respondents lack confidence in their organizations to share data while protecting privacy. “Confidence in protecting privacy is correlated to an organization’s data management practices,” the survey states. “Respondents whose organizations use de-identification software or third-party de-identification services are more likely to have complete confidence in the ability to responsibly share data for secondary use.” Meanwhile, a CIO Summit survey discovered that “board and leadership involvement is essential in creating the right solutions and strategies for healthcare organizations.” [HealthITSecurity]
The Online Trust Alliance (OTA) has released a checklist aiming to help consumers avoid getting hacked as they use any of the 50 million smart devices that will be sold over the holiday season. “That’s 50 million opportunities for data and home network compromises as well as privacy abuses, which is why it’s imperative that consumers follow our guidelines,” said the OTA’s executive director and president. “Consumers should not have to pay twice—once with their credit card and then again in perpetuity with their personal data, identity and safety.” The checklist can be found here. [NetworkedWorld]
Scientific American reports on the increase in mental healthcare apps and the privacy concerns that come along with such sensitive data collection. New mobile devices help users diagnose and monitor mental health symptoms, but in order to do so, such technology needs to passively gather constant streams of personal data—including sleep patterns and physical activity. In addition to an alleged lack of evidence-based research proving mental health apps are working, there is also concern that privacy is not appropriately protected. A task force set up earlier this year by the American Psychiatric Association noted, “This is a challenging task given the lack of clinical data on how apps can help or harm patients, serious concerns about privacy and data security and the need for more discussion on related ethical issues.” [Scientific American] In 2013, a study in the JMIR mHealth uHealth, revealed that only five apps targeting depression, anxiety and substance abuse had been tested for clinical effectiveness. A similar study this May in Internet Interventions showed that by last November there were only 10 peer-reviewed published articles for depression apps, and four for bipolar disorder.
An employee of the center provided a list of patient information (names, addresses and diagnoses) to her future employer. The agreement requires the center to provide to the Attorney General its privacy, security and breach notification policies and procedures and notification of any breach of unsecured PHI; all staff must be trained on any new or revised policies and procedures. [New York State Office of the Attorney General – A.G. Schneiderman Announces Settlement With University Of Rochester To Prevent Future Patient Privacy Breaches | Press Release | Settlement Agreement]
Two mothers have filed a class-action against Mattel claiming the company’s Hello Barbie doll “invades children’s privacy.” The doll uses speech recognition software to talk to kids and then stores the conversations in the cloud, the report states. Users must register the doll and create an account, at which point parents receive an e-mail stating recordings won’t be used for ads and any personal information collected in conversation will be deleted. The plaintiffs say the doll doesn’t comply with the Children’s Online Privacy Protection Act (COPPA) in part because children across the country, friends of doll-owners, have been recorded without their parents’ permission. [Full Story]
After January 12, 2016, Microsoft will no longer provide updates for older versions of Internet Explorer (IE). One estimate suggests that as many as 124 million users are running Internet Explorer versions 10 and earlier. The only version of IE that will continue to receive updates after January 12, 2016 is IE 11. [Microsoft] [ZDNet]
Microsoft is scheduled to end extended support for Windows XP Embedded, which is still running on many of the UK’s 70,000 cash machines. ATM owners are urged to upgrade their systems prior to January 12, 2016, after which time Microsoft will no longer provide updates. [v3.co.uk]
Organisations should monitor the following topics in 2016 – Safe harbor 2.0 (may depend on the outcome of the Judicial Redress Bill which is currently before the Senate) and the Network Information Security Directive (“NISD”) which is to be published in 2016 by the European Commission (it will require organisations to take appropriate technical and organisational measures to manage risks posed to the security of networks and report “significant cyber security incidents” to regulators). [Source]
US – Multinational Hotel Chain Must Maintain Detailed Security and Audit Program as Part of 20-Year Settlement Agreement with FTC
The FTC was granted an injunction against Wyndham Hotel Group in relation to alleged unfair and deceptive security practices in violation of the FTC Act. The FTC had filed a lawsuit against Wyndham in 2012 alleging unfair acts or practices related to a security breach. The chain is required to implement and maintain a comprehensive security program (e.g. appointing an individual(s) responsible for the program and conducting risk assessments); a written assessment of the chain’s compliance with the approved standard (defined as PCI DSS or a comparable standard submitted by the chain and approved by the FTC) must be conducted by a qualified and independent third-party assessor annually, and within 180 days of a breach of more than 10,000 unique payment card numbers. [FTC v. Wyndham Worldwide Corporation, et al. – Stipulated Order for Injunction – United States District Court For The District Of New Jersey]
The FCC reclassified broadband as a Title II common carrier service and, as a result, the FTC’s jurisdiction over ISP practices is limited; the FTC is concerned that what appears to be a “strict liability” data security standard will actually harm consumers, since the costs imposed by a regulator on a legitimate, non-fraudulent company are ultimately borne by its consumers (a recent Order by the FCC fined an ISP $595,000 when there was no evidence of any consumer harm). [Source]
US – Class Action Lawsuit Alleges Smart TV Manufacturer’s Tracking Software Surreptitiously Collects and Discloses Users’ Viewing Habits
A class action lawsuit filed against Vizio, a smart TV manufacturer, and Cognitive Media Networks, a tracking technology company, (collectively, the “Defendants”) alleges violations of the Video Privacy Protection Act (“VPPA”) and various California laws. [Palma Reed et al. v. Cognitive Media Networks, Inc. and Vizio, Inc. – Class Action Complaint and Demand for Jury Trial – In the United States Court For The Northern District Of California San Francisco Division]
US – Advocacy Group Says All Drones Should be Registered and All Operating Drones Should Have GPS Tracking
An advocacy group submits comments in response to the Federal Aviation Administration (“FAA”)’s request for public comments on drone registration requirements. The FAA should mandate registration for all drones (regardless of size) and require any drone operating in national airspace to include a GPS tracking feature that would always broadcast the owner identifying information; the registration database of commercial operators should be publicly available, but privacy protections should be implemented for hobbyist operators (restricting the use and release of their information for specific purposes). [Comments to the U.S. Department of Transportation, Federal Aviation Administration – Clarification of the Applicability of Aircraft Registration Requirements for Unmanned Aircraft Systems (UAS) and Request for Information Regarding Electronic Registration for UAS – Electronic Privacy Information Center]
New technology released this week purports to protect the privacy of users by providing “invisible connections and invisible computers.” Dispel CEO said “We have built an engine that allows us to dynamically generate unattributable, encrypted and ephemeral infrastructure using multiple cloud providers.” The system connects a user’s device to Dispel’s network in a way that does not reveal the user’s identity, location or content. “We are a totally new proprietary technology …There are no fixed network targets and nothing is publicly listed, so users don’t need to trust a random stranger.” [eWeek]
Cloud provider Skyhigh took stock of 500 companies it serves, finding that 39% of cloud-sent “corporate data” finds its way to file-sharing applications. However, “worryingly from a data security perspective, the average organization shares documents with 826 external domains, which includes business partners and personal email addresses,” the report states, adding that 9.2% of data shared externally includes delicate information. “While there are a lot of numbers in here, there are some patterns that will either be of concern (if you’re a security-conscious CIO within a highly regulated industry) or positive (if you’re involved with a cloud file sharing solution provider),” the report continues. “Either way, surfacing this sort of data helps everyone plan and react to what is going to be a continuing pattern of use.” [Computerworld]
A law firm discusses the regulation of and the Canadian approach to the Internet of Things (“IoT”). Regulations that are not in line with international approaches can lead to increased regulatory compliance costs to enter the Canadian market and increased barriers to Canadian companies entering global markets; suggested practices issued by the US FTC include data minimization, prioritization of building security into devices, adequately training employees, monitoring devices and reporting security breaches to consumers. [The Internet of Things – Guidance Regulation and the Canadian Approach – Kirsten Thompson and Brandon Mattalo – McCarthy Tetrault]
A cybersecurity report released by the Association of Corporate Counsel has found the most common reason for a data breach at companies is employee error. The report surveyed more than 1,000 in-house lawyers in 30 countries and found 30% of breaches in 2015 were the result of employee error. Other causes included unauthorized access to data by insiders and phishing attacks. 50% said their company has cyber insurance, with 68% reporting coverage of $1 million or more. [Wall Street Journal]
The president of the Privacy and Access Council of Canada says it’s not just individuals and small businesses who are shelling out to hackers who infect their computers with viruses. “Police departments and law firms are very, very attractive targets and they pay quite often,” said Sharon Polsky, a Calgary data protection and privacy expert. “If it’s worth it to them to regain control of their information, absolutely they’re going to pay it,” she said. [CBC]
FBI executive assistant director for science and technology Amy Hess acknowledged that her agency uses zero-day vulnerabilities in the course of its investigations. Hess also said that the FBI has never issued a gag order to police regarding the use of cell-site simulator technology, often referred to as StingRay. What the FBI does not want disclosed are the “engineering schematics,” or technical details about how the device works. [Washington Post] [ArsTechnica] SEE ALSO: [Feds Ordered to Disclose Data About Wiretap Backdoors] [Judge prods FBI over future Internet surveillance plans]
A federal judge is ordering the Justice Department to disclose more information about its so-called “Going Dark” program, an initiative to extend its ability to wiretap virtually all forms of electronic communications. The ruling by U.S. District Judge Richard Seeborg of San Francisco concerns the Communications Assistance for Law Enforcement Act, or CALEA.
The report deals with video surveillance cameras, body worn cameras, and Automated Number Plate Recognition. [Report]
A United Nations report calls for Internet surveillance, saying the lack of an “internationally agreed framework for retention of data” is a problem, as are open Wi-Fi networks in airports, cafes, and libraries. The United Nations is calling for more surveillance of Internet users, saying it would help to investigate and prosecute terrorists. A 148-page report titled “The Use of the Internet for Terrorist Purposes” warns that terrorists are using social networks and other sharing sites, including Facebook, Twitter, YouTube, and Dropbox, to spread “propaganda.” The report, released at a conference in Vienna convened by UNODC, concludes that “one of the major problems confronting all law enforcement agencies is the lack of an internationally agreed framework for retention of data held by ISPs.” Europe, but not the U.S. or most other nations, has enacted a mandatory data-retention law. [CNET]
The Office of Personnel Management’s (OPM) Inspector General (IG) publicly released its report this week, which found the agency improperly handled how it awarded its contract to the company responsible for the first round of data breach notifications, prompting House Oversight Committee Chairman Jason Chaffetz (R-UT) to call for the resignation of OPM Chief Information Officer Donna Seymour. “I write once again to augment my concerns that Ms. Donna Seymour … is unfit to perform the significant duties for which she is responsible,” he said. “It is troubling that yet another IG report has found that Ms. Seymour failed to effectively fulfill her duties.” According to the IG, the agency’s contractual agreement with vendor CSID violated federal contracting regulations in five ways, including inadequate market research and an unreliable contract file. [CNN]
The American Library Association, the world’s oldest and largest library association, has joined with 18 other groups to issue a letter to the White House and Congress urging lawmakers to oppose the final version of a bill they claim will dramatically expand government surveillance while failing to tackle cyber-attacks. Politicians from both sides of the House have been pushing for stronger cybersecurity measures in the wake of the Paris attacks and the recent San Bernardino shooting. Republican House speaker Paul Ryan has been leading the charge to push through legislation and reconcile two bills, the Protecting Cyber Networks Act (PCNA) and the National Cybersecurity Protection Advancement Act, with the Cybersecurity Information Sharing Act of 2015 (CISA), a controversial bill that passed a Senate vote in October. According to the letter’s signatories, the proposed “conference” legislation would:
- Create a loophole that would allow the president to remove the Department of Homeland Security, a civilian agency, as the lead government entity managing information sharing.
- Reduce privacy protections for Americans’ personal information.
- Overexpand the term “cyber threat” to facilitate the prosecution of crimes unrelated to cybersecurity.
- Expand already broad liability protection for information disclosure.
- Pre-empt state, local or tribal disclosure laws on any cyber-threat information shared by or with a state, tribal or local government.
- Eliminate a directive to ensure data integrity.
Moreover, they argue, the legislation would dramatically expand the amount of sensitive information held “by government agencies with dismal records on data security” and institute “blind, automatic transfer of personal information to intelligence agencies, including the National Security Agency, that would be authorized to use the information for non-cybersecurity purposes.” [The Guardian]
Student data privacy legislation has been on a tear recently. At the state level this year, 47 states have introduced 186 bills addressing student data privacy, and 15 states passed 28 new laws. Much of the legislation is modeled on California’s landmark Student Online Personal Information Protection Act, effective January 1. Both the U.S. Senate and the House have responded to President Barack Obama’s call for enhancing student data safeguards under the Family Educational Rights and Privacy Act with new legislative proposals. If there’s one privacy goal that commands widespread political support, it’s the protection of student data. But protection from what? [IAPP News] [Data Quality Campaign]
There has been an increase in available technology to help organizations better monitor their employees to help protect their property and assets. Any time a business engages in employee monitoring, they also risk alienating their employees or even running afoul of state or federal law. But what kinds of questions should organizations be asking when deciding to track and monitor their workforce? This article looks into an array of monitoring techniques and lays out the types of questions privacy pros should consider when engaging in this important, but potentially controversial, activity. [Full Story]